SB2024031917 - Multiple vulnerabilities in PaperCut NG/MF

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2024-1222)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions at certain API endpoints. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-1654)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions within the admin console. A remote authenticated administrator can perform unauthorized write operations and execute arbitrary code on the system.

3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-1884)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

4) Code Injection (CVE-ID: CVE-2024-1882)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote administrator can execute code on the PaperCut Application Server in the context of SYSTEM  (Windows) or the papercut user (macOS/Linux).

5) Cross-site scripting (CVE-ID: CVE-2024-1883)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Information disclosure (CVE-ID: CVE-2024-1223)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application's API. A remote user can gain unauthorized access to sensitive information.

7) Information disclosure (CVE-ID: CVE-2024-1221)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to improper access restrictions within the API endpoints. A remote user can expose files on a Linux/macOS PaperCut NG/MF server.

Note, Windows PaperCut NG/MF application server is not affected by this vulnerability.

Remediation

Install update from vendor's website.

References

• https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
• https://www.zerodayinitiative.com/advisories/ZDI-24-782/
• https://www.zerodayinitiative.com/advisories/ZDI-24-783/
• https://www.zerodayinitiative.com/advisories/ZDI-24-785/
• https://www.zerodayinitiative.com/advisories/ZDI-24-784/